Security

Welcome to our Bug Bounty

Our security team constantly works at keeping customer information secure. We recognize the important role that independent security researchers and our user community play in helping to keep Actility and its users secure. If you discover a vulnerability, please notify us using the guidelines below.

Guidelines

Actility will pay a bounty for certain security bugs, as detailed below. To be eligible, a security bug must meet the following general criteria:

Security bugs must be original and previously unreported.

Security bugs must be a remote exploit, the cause of a privilege escalation, or an information leak.

The submitter must not be part of Actility’s team or any of its subcontractors.

Our commitment

We will respond to your submission as quickly as possible.

As we work to fix the bug you submitted, we will keep you updated.

If you play by the rules, we will never take legal action against you.

Rules

Don’t attempt to gain access to another user’s account or data.

Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are NOT

Wait until a bug is fixed if you want to disclose it.

Only test for vulnerabilities located on Actility’s technologies.

Do not impact other users with your testing.

Do not use scanners or automated tools to find vulnerabilities.

Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our users, employees, or infrastructure.

When in doubt, contact us.

Rewards

The bounty for a valid and potentially exploitable security vulnerability will be a cash reward of between 50€ and 200€. The bounty program encourages the earliest possible reporting of these potentially exploitable bugs.

We reserve the right not to pay bounties for security bugs in or caused by additional third-party software.

Claiming a bounty

To claim a bounty:

– Make sure you have a Yogosha account.
– If you don’t have a Yogosha account, claim one and mention “Actility” in the “message” field of your application.
– File a bug at Yogosha describing the security issue.
– Attach a “proof of concept” and rate your bug’s criticality using CVSS.

Please be available to follow along and provide further information on the bug you discovered as needed, and work with Actility’s engineers in reproducing, diagnosing, and fixing the bug.